Canada’s efforts to update its privacy laws are progressing at a snail’s pace, prompting a stern warning from its privacy commissioner that Canada stands to lose not only public trust in government but also good standing with European trading partners.
Privacy Commissioner Daniel Therrien held a news conference Oct. 8 to discuss his annual report a year after revealing serious weaknesses within Canada’s privacy legislation. More than a year later, things haven’t gotten much better.
“Back in May 2019, the crisis of trust led the federal government to propose a Digital Charter, which includes plans to update PIPEDA. The government has since reiterated its intent to reform both PIPEDA and the Privacy Act,” Therrien noted in his report.
The 10-principle Digital Charter promises to apply to future legislation and regulation, and includes the suggestion of unspecified serious fines for private-sector organizations that do not protect privacy. But according to the OPC, Canada’s lack of progress on those efforts is concerning.
“More than a year later, we have yet to see the specific ways in which our legislative framework would be modernized to live up to the challenges of the digital age – and to Canadians’ expectations,” the report said. “Canada used to be a leader in privacy law, but has clearly fallen behind other jurisdictions in the world.”
Additionally, the European Privacy Commissioner is on the verge of deciding whether or not Canada’s privacy laws are up to snuff, a decision that could have serious implications for businesses with European customers. Some provinces, Therrien says, have grown impatient and are moving forward with updating their privacy laws. Quebec, for example, introduced Bill-64, which is meant to bring its privacy laws more in line with the General Data Protection Regulation.
Therrien also slammed the federal government’s reluctance to make privacy a fundamental right, something eight other trading partners managed to accomplish over the past decade. The OPC report says these factors are contributing to Canadians’ overall concerns about protecting private data. A recent OPC public opinion research paper says approximately 90 per cent of Canadians are concerned about their inability to protect their privacy. Only 38 per cent believe businesses respect their privacy rights, while just 55 per cent believe the government respects their privacy.
Breaches still going unreported
In the past 12 months, the OPC says it accepted 341 breach reports, an increase from 155 a year prior. But don’t let the increase fool you, Therrien wrote.
“While the number of institutions that reported breaches to our office increased from 29 to 34 this year, this number represents less than 14 per cent of the approximately 250 organizations that are subject to the Privacy Act.”
Employment and Social Development Canada – the department responsible for social programs and the labour market at the federal level – accounted for 211 of the 341 received breach reports. Therrien also expressed concerns around the lack of reporting from other federal institutions such as the CBSA, Global Affairs Canada and Veterans Affairs Canada.
“We continue to believe that the number of privacy breaches reported to our office represents only the tip of the iceberg. Action is needed to address systemic under-reporting.”
Most reported breaches (85 per cent) from federal institutions in Canada over the past year are related to data that has been lost or accidentally disclosed. Meanwhile, during that same period, 32 per cent of the reports the OPC received under PIPEDA – the Personal Information Protection and Electronic Documents Act, which governs how private sector organizations collect, use and disclose personal information – were related to accidental disclosure or loss.
There were also 18 reports tied to data theft (making up five per cent of all reports). The remaining 32 reported breaches involved unauthorized access, including 24 reports of unauthorized access by employees.
“We note with some concern that very few privacy breach reports we receive from federal institutions mention cyberattacks,” Therrien wrote, citing the five reported cybersecurity events mentioned in all breaches. Under PIPEDA, 42 per cent of incidents reported to the OPC are attributed to malware, ransomware, social engineering, password attacks or other cyber threats.
“It is unclear why there is such a significant discrepancy between the numbers,” he added.
Complaints under the Privacy Act go down
When it comes to complaints, the OPC says it accepted 761 of them in the past 12 months, a decrease from a year prior. But Therrien described the changes made to the way complaints are tracked, which he says are likely contributing to the annual decrease.
“Since April 1, 2019, when an individual’s complaint about a single matter represents potential contraventions of multiple sections of the Privacy Act, or when an individual complains following multiple access requests made to one institution, we track and report these as a single complaint.”
“In our view, this method more accurately represents the number of individuals raising privacy concerns, and provides a more consistent picture of our work across both the Privacy Act and PIPEDA.”